Researchers Explore Passwords' Perils and Proper Use

NEWS ANALYSIS: Although researchers find that password manager technology is at risk of exploitation, that doesn't mean that passwords should be abolished.

Love them or hate them, passwords are a day-to-day reality in the modern world and can't be avoided. Although they are supposed to secure users, more often than not, they have been the mechanisms by which hackers are able to exploit users, too.
Passwords are not dead, nor should they be, but their responsible and proper use is in need of remediation. Security experts often recommend that users take advantage of password management systems and two-factor authentication, yet in recent weeks, both of those approaches have proven to be vulnerable to hacking, as well.
An examination of five popular Web-based password managers shows they are subject to multiple risks, according to a new paper from four researchers at the University of California at Berkeley.
"The root causes of the vulnerabilities are also diverse—ranging from logic and authorization mistakes to misunderstandings about the Web security model, in addition to the typical vulnerabilities like CSRF [cross-site request forgery] and XSS [cross-site scripting]," the research paper states. The study suggested that it remains "a challenge for the password managers to be secure."

Looking at password management specialist LastPass, the U.C. Berkeley research found and reported vulnerabilities in the use of one-time passwords (OTPs) as well as a feature known as "bookmarklets." In a blog post, LastPass noted that the vulnerabilities have now been fixed.

In an email to eWEEK, Joe Siegrist, CEO and co-founder of LastPast, said the firm is constantly testing its technology and working with researchers to improve security.
"In this case, the researcher notified us of the vulnerability, and it was fixed immediately," Siegrist wrote. "The reported issues applied to less than 1 percent of our users, and again there was no evidence of an exploit outside the test cases."
The basic idea behind a password manager is to provide a secure way for users to store and create password information for multiple sites and services. Some of the first commonly used password managers were built directly into Web browsers, which is also where some of the first known vulnerabilities were discovered. Back in 2006, Firefox 2.0 was impacted by a vulnerability that left Firefox Password Manager users at risk for months.

Two-Factor Authentication
Another key challenge is that if an attacker is able to get access to the user's password, they have access to the user's account. It's a single point of failure, which is never a good thing to have in a security context.
That's where two-factor authentication comes into play, providing a second layer of authentication. With two-factor authentication, a second password (or factor) is randomly generated by Short Message Service (SMS) text message or a mobile app (like Google Authenticator). At the end of June, researchers reported that eBay's PayPal service had a misconfiguration flaw with its two-factor implementation.
So to recap, passwords are a single point of failure, password managers have been demonstrated to have risk and so has two-factor authentication.
What is a user to do? Should passwords as a whole be abolished and wiped off the face of the Earth? Not so fast.
For more than a thousand years, humanity has relied on the use of keys, leveraging a simple lock-and-pin system to secure items and doors. For as long as physical keys have been used, there have also been lock-picks, crowbars and sledgehammers. That simple truism has not stopped the use of locks over the course of human history.
A lock is only one layer of physical security, just like a password is only one layer of virtual security. Even though password managers and two-factor authentication might have some limited risks, they represent additional layers of security beyond just a single username and password combination.
The fundamental truth is that no one system on its own, whether it's a lock and key, or a username and a password can comprehensively secure anything. They are all, however, essential and fundamental components of security.
Just like the lock and key have not gone away despite known risks, the username/password combination is not likely to disappear any time soon either.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.